Difference between revisions of "Integrity (Anticheat)"

Full anticheat protection can only be reached with disabling older clients, so if you need to secure your server, you have to set Unreal.ini, Section [IpDrv.TcpNetDriver], AllowOldCLients=False.

Introduction

Before Unreal 227, cheat protections were stand-alone mods purely scripted. I am not going to list each known protection up to date and their strengths and weaknesses, but a general weakness of all of them is that they are all working within the limits of script alone. So, how to catch a DLL hack...?

The 2 main goals in 227 have been bug reduction and added security. The Unreal Integrity 227 package is the answer to the latter, capable of doing full file checks online comparing file checksums of the files the client is using towards either known lists of files or files the server can load itself.

Unreal Integrity should be able to catch any modified file in Unreal. Patches and exploit-fixes outside of this package take care of a lot of cheats (exploits) as well, so even without using this special package your online experience should already be improved.

Installation

Unreal Integrity should come readily installed already after you patched your Unreal to version 227. Nevertheless, you should ensure the u-file is present in your system directory and that this entry exists in your Unreal.ini:

ServerPackages=UnrealIntegrity

For older release up to 227h see old Integrity (up to 227h)

What Is Being Checked

1. Client Unreal Version
2. Client Computer Name
3. Client Console
4. Certain Fabrications of specific values
5. Unreal.exe, all loaded package files including DLLs, the Linux versions .bin and .so as well...
6. All checks are timed, failure to give expected replies to the server will lead to a kick (and possibly an automated ban).

4) Running

A server administrator will enable Unreal Integrity by adding the package's main mutator on the server startup (UnrealIntegrity.IntegrityServer):

Unreal.exe ...Game?Mutator=UnrealIntegrity.IntegrityServer ...

5) Settings and Ini

Settings are saved in UnrealIntegrity.ini. The settings can be accessed at Advanced Options -> Networking -> Unreal Integrity. The default settings should be "all right" for the Joe Average server, you may want to change some of them depending on the type of server you run.

• bPerformEndGameCheck - checks the client not only when joining but also when the game has ended.
• CheckTimeOut - how long the server will wait for integrity response from the client.
• min_ReCheck Time - how long to wait until a midgame check will be performed (when a player dies).

The following options define how to act if the specific event happens:

• event_ClientTimeOut
• event_DuplicatePackage
• event_FabricatedReply
• event_IllegalClientRequest
• event_IllegalConsole
• event_ModifiedPackage
• event_UnknownPackage

Possible options are:

• bTellPlayers - tell other players what happened
• bKick - kick the client
• bSessionBan - temporarily ban the client for the duration the current map is being played.
• bBan - full ban of the client until admin removes the entry manually.

SHALinkerCache.ini

This new ini takes care about the checksums used to validate the client. All packages to be validated need to be entered here. However, you don't need to add it manually, there are new commands to do this for you. There are 2 types of sections:

[Linker]

This section contains linker information about .u files and provides basic security against modified files and hacks. This protection was specifically implemented to check pre 227 clients and should be able to detect the currently known bots and cheats. Note that this protection is limited to Unreal packages (no dll and exe files) and may not be able to detect newer cheats. 227i contains already the checksums of the older clients for 224,225,226b and 226f as well as some popular packages. In order to add more entries, use the command:

ucc engine.linkerupdate <path>\<filename>.<extension>

It accepts also the "*" wildcard, this way you can easily add the custom packages running on your server. Example:

ucc engine.linkerupdate .\*.u

[SHA]

This section contains SHA256 checksums for the files of 227i clients. These checksums are used to validate all files in use, including native .exe and .dll files (also applies to Linux .so and .bin files) and is way extensive than the checks possible on pre 227i clients. In order to add new entries, you can use the command:

ucc engine.shaupdate <path>\<filename>.<extension>

It also accepts the wildcard "*", this will create checksums for every file (but it makes no sense for .ini files). Example:

ucc engine.shaupdate ..\SystemClassic\*

It is also possible to use some other tool to create the SHA256 checkum and add it manually.

Mod Programmers Considerations

Unreal Integrity was created with mod-compatibility in mind. It will not try to validate server actors that do not exist on clients and it will automatically try to find files and packages in its home directory system if a package name is encountered which is not yet loaded in the current session.

Interfaces

There is one interface in the Unreal Integrity server. Mods may indicate that "NOW" would be a good time for rechecks on players. Basically every round-based gametype is a prime example for such a feature, because the mod knows when a round is over, at which time checks would (not likely) interfere with any player-critical gameplay.

For mods it is not needed to use this 227 feature to actually HAVE 227 at compile time in order to use it. What mods have to do is:

• Find the "UnrealServer" mutator (e.g. via "IsA(...)")
• call "trigger()" on it, using the mutator itself as first parameter

Example code:

 // demonstration code how to suggest to the mutator
 // when to perform rechecks of everyone from OUTSIDE 227
 // MOD PROGRAMMERS: COPY AND PASTE THIS INTO YOUR CODE :)
 final function TriggerInGameChecks()
 {
 	local Mutator mut;
 	for(mut = Level.Game.BaseMutator; mut != none; mut = mut.NextMutator)
 	{
 		if (mut.IsA('IntegrityServer'))
 			mut.Trigger(mut,none);
 	}
 }

You can also initiate mid-game scan for one specific player by giving a trigger instigator:

 final function MidGameScanClient( PlayerPawn Other )
 {
 	local Mutator mut;
 	for(mut = Level.Game.BaseMutator; mut != none; mut = mut.NextMutator)
 	{
 		if (mut.IsA('IntegrityServer'))
 			mut.Trigger(mut,Other);
 	}
 }

Future Versions

Unlike other packages, the Unreal Integrity package CAN NOT BE MADE NETCOMPATIBLE across versions, so with each new Unreal patch, a new Integrity Package must be created.

Server administrators will need to adjust their mutator line in the server startup and possibly the serverpackages if the updater did not take care of it. Other than that, everything is supposed to remain as is.

Configuration Tips for special purpose servers

As already stated, the "default" values should take of most any normal server around. You may encounter problems or wish to enhance performance in certain areas though.

1vs1 servers

If you want to check the client to be checked every time the player dies, set the MinRecheckTime value very low.

Largely modded servers

If you have a lot of custom packages installed, checks will take very very long. So maybe, in order to avoid midgame checks, increase the MinRecheckTime > Maptime.

Example Setup

A good basic setup can be reached with the following settings, which will affect the gameplay only very minimal, if at all.

[UnrealIntegrity.IntegrityServer]
event_ClientTimeOut=(bTellPlayers=True,bKick=True,bSessionBan=False,bBan=False,offenseName=" timed out during a check.",Message1="",Message2="",Message3="",Message4="")
event_IllegalConsole=(bTellPlayers=True,bKick=True,bSessionBan=False,bBan=False,offenseName=" has a non authorized console!",Message1="Please refrain from using custom consoles!",Message2="If you were on another server where your console",Message3="has been replaced, exit and restart Unreal.",Message4="(Some mods known for this: EDM, INFCD, Coop mods)")
event_IllegalClientRequest=(bTellPlayers=True,bKick=True,bSessionBan=False,bBan=False,offenseName=" sent an illegal request.",Message1="You may have a hacked/corrupted file or very bad lag...",Message2="",Message3="",Message4="")
event_FabricatedReply=(bTellPlayers=True,bKick=True,bSessionBan=True,bBan=False,offenseName=" gave a fake/fabricated reply - HACKED CLIENT!",Message1="If you wish to play online,",Message2="do not mess with original files!",Message3="",Message4="")
event_UnknownPackage=(bTellPlayers=True,bKick=True,bSessionBan=False,bBan=False,offenseName=" has an UNKNOWN package loaded!",Message1="Please exit and restart Unreal to",Message2="unload the package. Check if you have mods",Message3="or skins loaded that are not used on this server",Message4="and make sure they are NOT LOADED when you rejoin!")
event_ModifiedPackage=(bTellPlayers=True,bKick=True,bSessionBan=True,bBan=True,offenseName=" has a MODIFIED package!",Message1="Please refrain from using modified files",Message2="when playing online!",Message3="",Message4="")
event_DuplicatePackage=(bTellPlayers=True,bKick=True,bSessionBan=False,bBan=False,offenseName=" has DUPLICATE of same package loaded!",Message1="Please try restarting Unreal to fix this error.",Message2="",Message3="",Message4="")
minReCheckTime=120.000000
CheckTimeout=40.000000
bPerformEndGameCheck=True
Verbosity=(bLogInit=True,bLogClientIDs=True,bLogClientChecks=True)

Legal notice

The copyright owners retain all rights not explicitely given. You, the user are allowed to use the package "as is" without any guarantees of its functioning, direct or indirect damages whatsoever.

UNDER NO CIRCUMSTANCES ARE YOU ALLOWED TO DISASSEMBLE, DECOMPILE, REVERSE ENGINEER OR SIMILARLY ANALYZE OR DISMANTLE THE PACKAGE FROM ITS ORIGINAL FILE.

USING THE UNREAL INTEGRITY PACKAGE IN ANY OTHER MANNER THAN THAT TO PROTECT YOUR UNREAL SERVER FROM CHEATERS IS ILLEGAL.

ALL RISK OF USING THE PACKAGE REMAINS WITH YOU.